
I'm programming an algorithm for calculating the inverse of a polynomial in $(\mathbb{Z}/3\mathbb{Z})[X]/(X^N-1)$. In this ring of truncated polynomials, the maximum degree of a polynomial is $N-1$, so each polynomial is represented by an array of $N$ components that takes into account all the coefficients of the powers of $X$ and the constant term.

However, the code I'm writing is based on the paper "Almost Inverses and Fast NTRU Key Creation", written by Joseph H. Silverman, where the algorithm for this ring uses a polynomial $g(X)$ that is initialized as $g(X) := X^N-1$. At first, I represented this polynomial with an array of length $N+1$, but this seems to be wrong, because at some moment in the algorithm this polynomial must be exchanged with another one that has only $N$ components, which I think makes no sense.

What is the correct way of representing this $g(X)$? Could someone explain a bit the different operations that appear in this algorithm?

SrJaimito
  • Isn't $g(X)$ just $0$ in your ring $(\mathbb{Z}/3\mathbb{Z})[X]/(X^N-1)$ because you are quotienting out by an ideal generated by that element? By way of analogy, in modular arithmetic, $k$ is equal to $0$ (modulo $k$) in $\mathbb{Z}/k\mathbb{Z}$. – Teddy38 Jan 18 '21 at 11:13
  • @Teddy38 That's something I have been thinking about, but in the initialization of the algorithm some other polynomials are just initialized to $0$ directly without using the $X^N-1$ expression, so this confused me. Though, probably it just means $0$. – SrJaimito Jan 18 '21 at 11:16
  • Just skimmed the paper - I presume it is this one: https://ntru.org/f/tr/tr014v1.pdf ... It looks like they are not really working in $(\mathbb Z/3\mathbb Z)[X]/(X^N-1)$ but in $(\mathbb Z/3\mathbb Z)[X]$ and they are performing something similar to the Euclidean algorithm for the gcd of $g(X)=X^N-1$ and $a(X)$ (which is what you would do anyway to find the inverse of $a(X)$). Thus, no wonder that polynomials of degree $\ge N$ feature in this calculation. The highest degree featuring there might be $N$, in which case you can reserve $N+1$ memory locations to represent each polynomial. –  Jan 18 '21 at 11:17
  • @StinkingBishop OK, I understand your point. Will I still get a polynomial of degree $N-1$ at the end of the algorithm if I let it use polynomials with higher degrees? – SrJaimito Jan 18 '21 at 12:00
  • @Jaime_mc2 Well, yes, in step 5 you are meant to output $\pm X^{N-k}b(X)\pmod{X^N-1}$, however, I would need to spend a lot more time to see if at each step $b(X)$ is kept at the degree $\lt N$ (and so only the last multiplication is $\pmod{X^N-1}$), or the steps 10 and 13 need to be done $\pmod{X^N-1}$ too. In any case, taking remainder $\pmod{X^N-1}$ is easy, no matter how many times you need to do it. (E.g. remainder of $\pm X^{N-k}b(X)\pmod{X^N-1}$ is just $b(X)$ cyclically shifted $N-k$ times.) –  Jan 18 '21 at 12:10
  • See my remark here for nice ways to view this algorithm (meant to answer here long ago but time was short). – Bill Dubuque Apr 19 '21 at 20:17
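A worked implementation, added here as an example (it is not code from the question, from the paper, or from any of the commenters), that makes the representation question concrete. Polynomials are plain Python lists of coefficients, index $i$ holding the coefficient of $X^i$, of whatever length they need: the Euclid-like loop runs in $(\mathbb Z/3\mathbb Z)[X]$, so $g$ starts as $X^N-1$ with $N+1$ entries and swapping it with a shorter $f$ is harmless, and only the final step reduces modulo $X^N-1$ (folding $X^i$ onto $X^{i \bmod N}$, which for $X^{N-k}b(X)$ is the cyclic shift mentioned above). The code does not assume anything about the degree of $b(X)$ during the loop, since the thread does not establish that. The function names, the sample inputs and the $p=3$ specialisation ($f(0)=g(0)$ means subtract, otherwise add) are mine.

```python
# Added example: almost-inverse loop for (Z/3Z)[X]/(X^N - 1), p = 3 specialisation.
# Representation: a polynomial is a list, index i = coefficient of X^i, any length.

P = 3  # coefficient field Z/3Z


def trim(f):
    """Reduce coefficients mod 3 and drop leading zeros; the zero polynomial is []."""
    f = [c % P for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f


def deg(f):
    """Degree of f (-1 for the zero polynomial)."""
    return len(trim(f)) - 1


def add(f, g, sign=1):
    """f + g (sign=1) or f - g (sign=-1) in (Z/3Z)[X]; lengths may differ."""
    n = max(len(f), len(g))
    return trim([(f[i] if i < len(f) else 0) + sign * (g[i] if i < len(g) else 0)
                 for i in range(n)])


def mul_x(f, k=1):
    """Multiply by X^k: shift every coefficient up k positions."""
    return [0] * k + list(f)


def reduce_mod(f, N):
    """f mod (X^N - 1): X^i == X^(i mod N), so fold coefficients cyclically."""
    out = [0] * N
    for i, c in enumerate(f):
        out[i % N] = (out[i % N] + c) % P
    return out


def mul_mod(f, g, N):
    """Product in (Z/3Z)[X]/(X^N - 1); used only to check a claimed inverse."""
    out = [0] * N
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[(i + j) % N] = (out[(i + j) % N] + a * b) % P
    return out


def inverse_mod3(a, N):
    """Almost-inverse loop (Silverman's algorithm specialised to p = 3).

    Invariants kept by every step, in (Z/3Z)[X]/(X^N - 1):
        a*b == X^k * f      and      a*c == X^k * g
    Initially b = 1, c = 0, f = a, g = X^N - 1 (which is 0 in the quotient,
    so the second invariant holds trivially).  When f becomes the constant
    +-1 the first one gives a^{-1} == f(0)^{-1} * X^{-k} * b.
    Returns a list of length N, or None when a is not invertible.
    """
    k, b, c = 0, [1], []
    f = trim(a)
    g = [P - 1] + [0] * (N - 1) + [1]       # X^N - 1 = X^N + 2 over Z/3Z: N+1 entries
    while True:
        # Divide f by X while f(0) == 0, compensating in c and k.
        while f and f[0] == 0:
            f = f[1:]
            c = mul_x(c)
            k += 1
        if not f:
            return None                     # f reached 0: gcd(a, X^N - 1) != 1
        if deg(f) == 0:
            b = [(f[0] * x) % P for x in b] # f(0) is 1 or 2, each its own inverse mod 3
            # k counts all shifts and can exceed N; X^{N-k} is then a negative
            # power, which in the quotient ring is X^{(N-k) mod N}.
            return reduce_mod(mul_x(b, (N - k) % N), N)
        if deg(f) < deg(g):
            f, g = g, f                     # g may have N+1 entries and f fewer: fine
            b, c = c, b
        # f(0) and g(0) are both nonzero, so exactly one of f-g, f+g kills the constant term.
        if f[0] == g[0]:
            f, b = add(f, g, -1), add(b, c, -1)
        else:
            f, b = add(f, g, 1), add(b, c, 1)


def is_inverse(a, b, N):
    """True iff a*b == 1 in (Z/3Z)[X]/(X^N - 1)."""
    return b is not None and mul_mod(a, b, N) == [1] + [0] * (N - 1)


if __name__ == "__main__":
    # Constructed inputs, small enough to check by hand; the last one is X - 1,
    # which divides X^N - 1 and so has no inverse.
    for N, a in [(3, [1, 1]), (5, [1, 0, 1]), (7, [1, 1, 0, 2]), (3, [2, 1])]:
        b = inverse_mod3(a, N)
        print(f"N={N} a={a} inverse={b} ok={is_inverse(a, b, N)}")
```

For $N=5$ and $a = 1 + X^2$ the loop performs six shifts in total, so $k = 6 > N$ and the final factor is $X^{N-k} = X^{-1} = X^{4}$ in the quotient; the `(N - k) % N` wrap is what keeps the paper's "$X^{N-k}b(X) \bmod X^N-1$" correct in that case. Whether the intermediate $b(X)$ and $c(X)$ ever need more than $N$ entries is left to the representation: with growable lists nothing breaks either way.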
